DTP Attack
What is DTP Attack?
An attack that abuses Cisco Dynamic Trunking Protocol on an access port to negotiate a trunk with the switch and gain access to multiple VLANs.
DTP (Dynamic Trunking Protocol) is a Cisco-proprietary protocol that lets two switches automatically negotiate whether a link should become an 802.1Q trunk. Many access ports are left in the default dynamic auto or dynamic desirable mode, so an attacker can send DTP frames from a host (Yersinia, Scapy) and convince the switch to form a trunk to the attacker. Once trunked, the attacker can tag frames into any allowed VLAN and reach segments that should be isolated; this is the usual entry vector for switch-spoofing VLAN hopping. Defenses: configure all user-facing ports with 'switchport mode access' and 'switchport nonegotiate', limit the allowed VLANs on trunks, and disable DTP globally in modern designs.
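One way to check a switch configuration against the defenses just listed, as an added example that is not part of the original page: a small Python auditor that parses a Cisco IOS-style running-config, reports every Layer-2 port that can still negotiate a trunk or still emits DTP frames, flags trunks that carry every VLAN by default, and renders the corresponding hardening lines. The sample configuration, interface names and helper names are constructed for illustration and do not come from any real device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not from a real device), one block per port state
# the audit distinguishes: default mode, explicit dynamic, hardened access, hardened
# trunk, unhardened trunk, and an SVI that does not run DTP at all.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
interface Vlan1
 no ip address
!
"""


@dataclass
class Finding:
    interface: str
    issue: str
    fix: list[str] = field(default_factory=list)  # IOS lines that close the gap


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' block to its indented sub-commands (whitespace stripped)."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^interface (\S+)\s*$", line)
        if header:
            current = header.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks


def audit_dtp(config: str) -> list[Finding]:
    """Return one Finding per DTP-related weakness on each Layer-2 switchport."""
    findings: list[Finding] = []
    for name, lines in parse_interfaces(config).items():
        # Only Layer-2 switchports run DTP; SVIs and routed ports have no 'switchport' lines.
        if not any(l.startswith("switchport") for l in lines):
            continue
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        nonegotiate = "switchport nonegotiate" in lines
        allowed_restricted = any(l.startswith("switchport trunk allowed vlan ") for l in lines)

        if mode is None or mode.startswith("switchport mode dynamic"):
            # No explicit mode means the platform default (dynamic auto or dynamic
            # desirable), so a peer speaking DTP can turn this port into a trunk.
            # The suggested fix assumes a user-facing port; a real uplink should be
            # pinned to 'switchport mode trunk' plus nonegotiate instead.
            findings.append(Finding(name, "port can negotiate a trunk via DTP",
                                    ["switchport mode access", "switchport nonegotiate"]))
        elif mode == "switchport mode access" and not nonegotiate:
            # Access mode will not become a trunk, but the port still generates DTP frames.
            findings.append(Finding(name, "access port still sends DTP frames",
                                    ["switchport nonegotiate"]))
        elif mode == "switchport mode trunk":
            if not nonegotiate:
                findings.append(Finding(name, "trunk still runs DTP", ["switchport nonegotiate"]))
            if not allowed_restricted:
                # The default allowed list is every VLAN, so a trunk formed from a
                # compromised port reaches all of them.
                findings.append(Finding(name, "trunk allows all VLANs",
                                        ["switchport trunk allowed vlan <needed VLAN list>"]))
    return findings


def remediation(findings: list[Finding]) -> str:
    """Render the fixes as an IOS config snippet, one block per affected interface."""
    out: list[str] = []
    for name in sorted({f.interface for f in findings}):
        out.append(f"interface {name}")
        seen: list[str] = []
        for f in findings:
            if f.interface == name:
                for cmd in f.fix:
                    if cmd not in seen:  # the same line may be suggested by two findings
                        seen.append(cmd)
                        out.append(f" {cmd}")
        out.append("!")
    return "\n".join(out)
```

Running `audit_dtp(SAMPLE_CONFIG)` on the constructed config yields four findings: the two user ports that never left dynamic mode, and the unhardened trunk twice (still running DTP, and carrying every VLAN). Feeding a real `show running-config` export to `audit_dtp` works the same way, since the parser only relies on the `interface` header and one-space indentation that IOS uses; `remediation` then prints the lines to review before applying them per port.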
● Examples
- 01
Yersinia DTP attack forcing an access port into trunk mode and exposing all VLANs.
- 02
Using a Linux host with vconfig and a forged DTP frame to extend reach to the voice VLAN.
● Frequently asked questions
What is DTP Attack?
An attack that abuses Cisco Dynamic Trunking Protocol on an access port to negotiate a trunk with the switch and gain access to multiple VLANs. It belongs to the Attacks & Threats category of cybersecurity.
What does DTP Attack mean?
An attack that abuses Cisco Dynamic Trunking Protocol on an access port to negotiate a trunk with the switch and gain access to multiple VLANs.
How does DTP Attack work?
DTP (Dynamic Trunking Protocol) is a Cisco-proprietary protocol that lets two switches automatically negotiate whether a link should become an 802.1Q trunk. Many access ports are left in the default dynamic auto or dynamic desirable mode, so an attacker can send DTP frames from a host (Yersinia, Scapy) and convince the switch to form a trunk to the attacker. Once trunked, the attacker can tag frames into any allowed VLAN and reach segments that should be isolated; this is the usual entry vector for switch-spoofing VLAN hopping. Defenses: configure all user-facing ports with 'switchport mode access' and 'switchport nonegotiate', limit the allowed VLANs on trunks, and disable DTP globally in modern designs.
How do you defend against DTP Attack?
Defenses for DTP Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DTP Attack?
Common alternative names include: Dynamic Trunking Protocol abuse, Trunk negotiation attack.
● Related terms
- attacks№ 1207
VLAN Hopping
A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging.
- attacks№ 1072
Spanning-Tree Protocol Attack
A Layer-2 attack that injects forged BPDU frames to manipulate the Spanning-Tree topology, often electing the attacker's host as the root bridge to enable MITM or DoS.
- attacks№ 062
ARP Spoofing
A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- attacks№ 312
DHCP Spoofing
An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
- attacks№ 944
Rogue DHCP Server
An unauthorized DHCP server connected to a network that hands out IP configurations to clients, intentionally or accidentally redirecting traffic to attacker-controlled infrastructure.